Symantec outs Regin, a stealthy and modular spy tool

Symantec has revealed details about a family of malware it says is a “top tier” espionage tool with sophisticated features on a level comparable with Flame and Stuxnet.

According to Symantec, the feature-laden Regin malware that has remained below the radar until now has been used in spy campaigns targeting numerous industries since at least 2008.

While the security vendor says Regin was likely used by a nation state, it does not point to a particular nation as the source of the malware.

The two biggest targets of the malware on a national basis were the Russian Federation, followed by Saudi Arabia, which together accounted for 52 percent of total infections. Neither China nor the United States was identified as a significant target.

The primary target by sector appears to be telecoms backbone providers, which accounted for 28 percent of the total; however, the majority of targets were private individuals and small businesses. Other significant target sectors included hospitality, energy, airlines and research.

Regin activity was at its height between 2008 and 2011, later resurfacing in a new form in 2013, which remains in use today.

“Attacks on telecoms companies appear to be designed to gain access to calls being routed through their infrastructure,” Symantec noted in a blog post.

In a technical whitepaper Symantec released on Sunday, the company described Regin as an “extremely complex piece of software that can be customized with a wide range of different capabilities which can be deployed depending on the target.”

The malware is notable for the lengths its makers went to in order to keep the malware and its activities inconspicuous.


Symantec said that Regin could have taken years to make, even with a well-resourced team of developers. The company infers this from the malware’s extensive range of modules, which allow its controllers to swap out payloads to suit individual targets. Further evidence of the labour involved is the methods used to conceal the malware, which include a custom-built encrypted virtual file system and the use of a variant of the rarely used RC5, a cipher designed by RSA.

Regin has six key components that coordinate to deliver the main payloads, which vary by target but typically enable information gathering. They can be customised to sniff network traffic, crawl the infected machine’s file system, retrieve deleted files, remotely control mouse and click activity and take screen grabs, among dozens of payload options.

One advanced payload was a tool that monitored Microsoft IIS web server traffic. Another was a tool that collected administration traffic for mobile network base station controllers — the layer in a mobile network that handles traffic between handsets and base stations as mobile users move between coverage areas.

While the company extensively details features of Regin, crucial elements that might allow it to attribute the malware campaign to a specific country are missing.

One mystery is the exact method used to compromise victims. So far, Symantec researchers have not identified a “reproducible infection vector”. However, log files on one infected computer showed that Regin originated from Yahoo IM through an unconfirmed exploit.

Symantec’s technical paper also notes that the C&C used four transport protocols to communicate between infected computers and the command servers, but it does not list the IP addresses or web domains used by the attackers.

Symantec explained to CSO Australia in a statement that:

“The threat works not by making an outbound connection, but waiting for the attacker to connect to it via an inbound connection. It has the potential ability to make and initiate an outbound connection, but we have no such samples configured that way. All the samples we have are configured to rely on a peer-to-peer structure of communication and an infection at the border gateway of an organization that awaits contact by the attacker and further will proxy commands to internally compromised machines.”
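The C&C model described in the statement (an implant that waits for an inbound connection at the border gateway and then proxies commands to internal machines) is invisible to detectors that look only for outbound beaconing, but it leaves a different trace in flow logs: an unsolicited external connection to a host, followed shortly by that host fanning out to internal machines. The following Python is an added detection sketch over constructed flow records, not Symantec's or anyone's published code; the flow schema, the 300-second window and the RFC 1918 address plan are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan (constructed): RFC 1918 space counts as "internal".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Flow:
    """One connection record from a flow log (constructed schema)."""
    ts: int      # seconds since epoch
    src: str     # initiating address
    dst: str     # responding address
    dport: int   # destination port

def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)

def find_inbound_pivots(flows, window=300, min_fanout=2):
    """Return {host: sorted internal targets} for each internal host that accepted
    a connection initiated from outside and, within `window` seconds, itself
    initiated connections to at least `min_fanout` distinct internal hosts."""
    flows = sorted(flows, key=lambda f: f.ts)
    hits = {}
    for trigger in flows:
        if is_internal(trigger.src) or not is_internal(trigger.dst):
            continue  # only unsolicited external -> internal connections open a window
        gw = trigger.dst
        fanout = {f.dst for f in flows
                  if f.src == gw and is_internal(f.dst)
                  and trigger.ts <= f.ts <= trigger.ts + window}
        if len(fanout) >= min_fanout:
            hits[gw] = sorted(set(hits.get(gw, [])) | fanout)
    return hits

# Constructed sample: one gateway contacted from outside that then fans out,
# plus benign outbound browsing and benign internal traffic as controls.
SAMPLE_FLOWS = [
    Flow(1000, "203.0.113.7", "10.0.0.1", 443),    # external operator -> gateway
    Flow(1030, "10.0.0.1", "10.0.5.12", 445),      # gateway -> internal host
    Flow(1045, "10.0.0.1", "10.0.5.33", 445),      # gateway -> second internal host
    Flow(1100, "10.0.9.9", "198.51.100.4", 443),   # normal outbound web traffic
    Flow(1200, "10.0.2.2", "10.0.2.3", 445),       # internal-only traffic, no external trigger
    Flow(5000, "203.0.113.9", "10.0.7.7", 22),     # inbound to a host that never fans out
]

if __name__ == "__main__":
    for host, targets in find_inbound_pivots(SAMPLE_FLOWS).items():
        print(f"{host} contacted from outside, then reached {len(targets)} internal hosts: {targets}")
```

Real deployments would key on the gateway's known role and add the four transport protocols once they are known, but the inbound-then-fan-out shape is what distinguishes this listener from a beaconing implant.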

Other nations that each accounted for between five and nine percent of infections included Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
